0

We are developing an MVC .NET Core project with VS19. We are also using Devextreme. We have several cshtml files with devextreme components and templates.

Templates in DevExtreme ASP.NET MVC Controls support ERB-style syntax. The following constructions are available.

  • <% code %> - executes the code.
  • <%= value %> - prints the value as is (for example, John).
  • <%- value %> - prints the value escaping HTML (<b>John</b> becomes &lt;b&gt;John&lt;/b&gt;).

Implementing Templates

In the past we only used the

  • <%= value %> - prints the value as is (for example, John).

which led to some injections in a pen test.

As a result we are now only using the

  • <%- value %> - prints the value escaping HTML (<b>John</b> becomes &lt;b&gt;John&lt;/b&gt;).

We are also using SonarQube. The idea now is that we want to create a rule that gets triggered if someone doesn't use the correct escaping. But how can I achieve that? As far as I understand this topic after a day of research, you can't create rules for (cs)html & C# in SonarQube. That led me to some research into writing a Roslyn analyzer that exports its results to SonarQube. But I found out that even these don't get triggered by cshtml files. Nevertheless, I get some warnings in cshtml files if I create anonymous JS functions:

[screenshot of the warning in the cshtml file]

Where does it come from? How can I create my own rules that are applied to cshtml files?

Kind regards, David

syc
  • 163
  • 1
  • 8
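Since neither SonarQube's built-in rules nor a Roslyn analyzer see inside cshtml templates, one practical option is a small scanner that flags every unescaped `<%= ... %>` print and hands the findings to SonarQube. The script below is an added example (not from the question, the answer, or DevExtreme); it assumes the SonarQube instance supports the Generic Issue Import format fed via `sonar.externalIssuesReportPaths`, and the `engineId`/`ruleId` values are placeholders of my own.

```python
import json
import re
from pathlib import Path

# DevExtreme ERB-style tags: "<%= v %>" prints v unescaped, "<%- v %>" escapes it.
UNESCAPED_TAG = re.compile(r"<%=\s*(?P<expr>.*?)\s*%>", re.DOTALL)


def find_unescaped_prints(text):
    """Return (line, col, expr) for each <%= ... %>; lines 1-based, cols 0-based."""
    hits = []
    for m in UNESCAPED_TAG.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        col = m.start() - (text.rfind("\n", 0, m.start()) + 1)
        hits.append((line, col, m.group("expr")))
    return hits


def to_sonar_issues(file_path, text, rule_id="devextreme-unescaped-print"):
    """Map findings to SonarQube Generic Issue Import entries (assumed supported)."""
    return [
        {
            "engineId": "cshtml-template-check",  # placeholder engine name
            "ruleId": rule_id,
            "severity": "MAJOR",
            "type": "VULNERABILITY",
            "primaryLocation": {
                "message": f"Unescaped template output <%= {expr} %>; use <%- {expr} %>",
                "filePath": file_path,
                "textRange": {"startLine": line, "endLine": line,
                              "startColumn": col, "endColumn": col + 3},
            },
        }
        for line, col, expr in find_unescaped_prints(text)
    ]


def scan_tree(root, report_path):
    """Scan every .cshtml under root, write the JSON report, return issue count."""
    issues = []
    for path in sorted(Path(root).rglob("*.cshtml")):
        rel = path.relative_to(root).as_posix()
        issues += to_sonar_issues(rel, path.read_text(encoding="utf-8"))
    Path(report_path).write_text(json.dumps({"issues": issues}, indent=2))
    return len(issues)


# Constructed sample template (not from the page): one escaped, two unescaped.
SAMPLE_CSHTML = """<div class="name"><%- name %></div>
<div class="title"><%= title %></div>
<span><%= 'static' %></span>
"""
```

Run `scan_tree("path/to/Views", "template-issues.json")` in the build and point `sonar.externalIssuesReportPaths` at the report; the scanner then shows each `<%=` as an issue on the cshtml file even though no language analyzer parses the template itself.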

1 Answer

0

Your scenario may not be directly supported. I presume you reviewed "Importing Issues from Third-Party Roslyn Analyzers (C#, VB.NET)".

SonarQube analyzes code based on (mapped) extension. Just guessing now ...

We have .cshtml mapped to language type HTML (YMMV). This is under Administration | Configuration | General Settings | HTML - {SQ_URL}/admin/settings?category=html (which also covers .jsp). Perhaps yours is mapped to type JavaScript (JS)? Try undoing your mapping?

Ian W
  • 4,559
  • 2
  • 18
  • 37